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DIGITALEUROPE proposes 5 key 
recommendations for a successful 
implementation of Strong Customer 
Authentication (SCA) 


O N$" 4 Introduction 


DIGITALEUROPE welcomes regulatory and market initiatives that make electronic 
payments more secure and advocate the principle behind the regulation on Strong 
Customer Authentication (SCA). DIGITALEUROPE believes that safe and secure 
electronic payments are the cornerstone of a successful European digital economy, 
where the consumer is protected both through law and industry practices. 


DIGITALEUROPE understands that full, efficient and effective implementation of the 
regulation on SCA requires an unprecedented effort from the whole industry, including 
the majority of European consumers and merchants. However, if the regulation on 
SCA were to be strictly applied and enforced as of the 14" of September 2019, the 
whole European economy, and especially the digital economy, would suffer a shock 
which Europe cannot and should not afford. The European e-commerce industry has 
been growing at a sustained pace for years. It is expected to reach a turnover of 621 
billion euros in 2019 and keep double-digit growth rates of over 13 percent.' More 
than 75.000 companies? in Europe are part of this industry. Many of them are small 
and dependent on e-payment services. 


The SCA implementation requires important but major changes at all levels — the 
technology, the infrastructure, but also our habits and existing processes. The industry 
has been working hard since the announcement of the Regulatory Technical 
Standards in order to bring about this change. DIGITALEUROPE believes, in 
agreement with the majority of market participants, that a lot of work is still ahead of 
us. Namely, not only are there payment service providers (PSPs) lagging behind in 


1 Retaildetail.eu, European e-commerce continues to flourish, 2019 
2 Eurocommerce, European B2C ecommerce still growing fast, with national markets moving at different 
speeds, 2018 
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their preparations to meet SCA requirements, but many merchants across Europe are 
also not ready to use the new solutions and infrastructures, all while consumer 
awareness is still very low. 


In light of the above, DIGITALEUROPE welcomes the opinion of both the European 
Banking Authority (EBA) and an increasing number of National Competent Authorities 
(NCAs) that, instead of hard enforcement of the SCA rules, a transition period should 
be provided by the relevant authorities in order to ensure a smooth and effective 
transition for the long tail of all affected stakeholder groups. We understand, however, 
the challenges of providing such transition period, with the biggest challenge of them 
all being the threat of market fragmentation and inconsistency across Europe. In 
addition, DIGITALEUROPE calls on policymakers to consider introducing a permanent 
and targeted exemption for remote and unconnected environments. This is in line with 
EBA’s rationale of establishing an exemption where the use of strong customer 
authentication may not always be easy to apply due to operational reasons. In the 
section below, DIGITALEUROPE would like to point out some key aspects and 
requirements, along with our recommendations, in order to ensure an effective and 
harmonised European approach to the phased implementation of SCA rules. 


DIGITALEUROPE ` s recommendations 


Recommendation 1: A harmonised, European transition period, 
with a duration of 18 months 


By far the biggest challenge and fear with regards to a transition period for SCA 
implementation is a potentially fragmented European market, which could harm 
cross-border e-commerce transactions and make it extremely difficult for 
merchants operating in several countries to adapt to the various national 
approaches. Therefore, DIGITALEUROPE strongly recommends a harmonised, 
European approach to provide a transition period with the same deadlines in all 
EU member states. Based on discussions with the industry, DIGITALEUROPE 
considers a duration of 18 months (with a final deadline of 14 March 2021) to 
be a reasonable, compromise solution which would allow all relevant European 
stakeholders to get ready, including the onboarding of the long tail of merchants 
and consumers. 
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Recommendation 2: Harmonised and monitored roadmaps 


Apart from providing a clear and harmonised final deadline for compliance 
across the whole of Europe, the relevant authorities are encouraged to draw up 
a simple, harmonised roadmap with interim milestones and deadlines, to be 
applied uniformly in all EU member states and monitored by National 
Competent Authorities (NCAs). DIGITALEUROPE recommends the following 
simple roadmap: 


1. By 14 September 2019, all PSPs shall prepare and submit to their 
respective NCAs communication plans, based on which they will reach 
out to all their merchants and consumers with all relevant and necessary 
information on SCA. 

2. By 14 March 2020, all PSPs shall fully have executed their 
communication plans to the industry. 

3. By 14 September 2020, all PSPSs shall have fully operational SCA 
solutions and systems readily available and functioning properly, while 
all merchants shall be technically ready to use the systems on their 
end. 

4. By 14 March 2021, all European consumers shall be enrolled in at 


least one SCA-compliant solution. 


Recommendation 3: Permission not to use SCA or to use 
legacy solutions for SCA during the transition period 


Even with the best of intentions, it will be extremely difficult to achieve full 
harmonisation across Europe. Furthermore, some PSPs and merchants will 
inevitably be ready earlier, while some later. A certain discrepancy in the level 
of readiness will necessarily exist. In order to move from a non-SCA world to an 
SCA world as smoothly as possible, and in order to avoid unnecessarily or 
mistakenly declined transactions, all NCAs shall allow all PSPs (irrespective of 
their level of readiness and speed of becoming ready): 


1. not to decline transactions which are sent without the data and 
information necessary for SCA; 

2. to use legacy/existing authentication solutions without changing 
current provisions on the allocation of liability for fraud between 


merchants and PSPs 


until the final compliance deadline of 14 March 2021. 
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Recommendation 4: Clear and timely communication by NCAs 
and the EBA 


As the regulation on SCA soon takes effect, all relevant stakeholders need a 
clear communication from their respective authorities on what they should 
expect with regards to the enforcement of the regulation. It is understandable 
and reasonable that achieving harmonisation across Europe in such a complex 
matter takes a lot of time and effort from all parties involved, thus full clarity is 
difficult to expect before 14 September 2019. However, in order to avoid a high 
transaction decline rate, the industry needs a strong and clear signal from all 
NCAs in all countries whether flexible enforcement will be granted. It also 
needs to clearly understand what to expect after the regulation takes effect. A 
good example of this practice is in the recent announcements of the Italian and 
the Dutch central banks, as well as in an earlier announcement in France. 
Furthermore, the EBA and the NCAs are strongly encouraged to communicate 
their final and fully comprehensive decisions in a timely manner. 


Recommendation 5: Introduce a permanent and targeted 
exemption for remote and unconnected environments. 


The provision of online connectivity and online sales on board aircraft, ships 
and other remote areas, such as oil platforms, is a growing service sector. At 
present, there are no technological solutions able to effectively address all 
potential methods banks may utilise to comply with SCA. As a concrete 
example, if SCA rules were to apply in remote, unconnected environments such 
as airplanes, a passenger that intends to purchase a Wi-Fi package onboard 
would first need to receive a verification code (called dynamic link) via 
SMS/email/push notification that verifies the legitimacy of its transaction, before 
the Wi-Fi service is purchased. If the passenger cannot receive the verification 
code due to connectivity issues in the plane, the SCA rules will require the 
cardholder’s bank to decline the transaction. This would result in passengers 
unable to purchase in-flight Wi-Fi and in substantial revenue losses for several 
actors in the value chain. Applying SCA rules in remote and unconnected 
environments is also difficult considering that card issuers are free to choose 
their preferred method of secondary authentication. Providing the means for all 
possible authentication methods at all times is not feasible. 


A second and equally important challenge is about passenger payments in an 
unconnected (offline) environments where no external connectivity is available. 
Giving passengers the option to purchase a variety of onboard goods and 
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services (food, drink, Pay-Per-View) via their personal electronic device or 
inflight entertainment system is increasingly popular. The market for 
infotainment content is growing. However, if SCA were to apply in unconnected 
environments such as airplanes, providing these infotainment services would 
become impossible. Only a permanent and targeted exemption for remote and 
unconnected environments, similar to the one granted to unattended terminals 
for transport fares and parking fees, would bring clarity in the industry and 
properly recognise the legitimacy of such payment environments. We therefore 
urge policymakers to consider this exemption and implement it as soon as 
possible. 


FOR MORE INFORMATION, PLEASE CONTACT: 


ku Vincenzo Renda 


Senior Policy Manager for Digital Industrial Transformation 
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About DIGITALEUROPE 
PEST a i hci chek i ad a eh a ag a gl a ee ena 1 
DIGITALEUROPE represents the digital technology industry in Europe. Our members include l 
some of the world’s largest IT, telecoms and consumer electronics companies and national l 
associations from every part of Europe. DIGITALEUROPE wants European businesses and l 
citizens to benefit fully from digital technologies and for Europe to grow, attract and sustain the l 
world’s best digital technology companies. DIGITALEUROPE ensures industry participation in l 
the development and implementation of EU policies. i 
l 


DIGITALEUROPE Membership 


Corporate Members 


Airbus, Amazon, AMD, Apple, Arçelik, Bosch, Bose, Bristol-Myers Squibb, Brother, Canon, Cisco, 
DATEV, Dell, Dropbox, Epson, Ericsson, Facebook, Fujitsu, Google, Hewlett Packard Enterprise, 
Hitachi, HP Inc., HSBC, Huawei, Intel, Johnson & Johnson, JVC Kenwood Group, Konica Minolta, 
Kyocera, Lenovo, Lexmark, LG Electronics, Loewe, MasterCard, METRO, Microsoft, Mitsubishi Electric 
Europe, Motorola Solutions, MSD Europe Inc., NEC, Nokia, Nvidia Ltd., Océ, Oki, Oracle, Palo Alto 
Networks, Panasonic Europe, Philips, Pioneer, Qualcomm, Ricoh Europe PLC, Rockwell Automation, 
Samsung, SAP, SAS, Schneider Electric, Sharp Electronics, Siemens, Siemens Healthineers, Sony, 
Swatch Group, Tata Consultancy Services, Technicolor, Texas Instruments, Toshiba, TP Vision, Visa, 


VMware, Xerox. 


National Trade Associations 


Austria: IOÖ 

Belarus: INFOPARK 
Belgium: AGORIA 
Bulgaria: BAIT 

Croatia: Croatian 
Chamber of Economy 
Cyprus: CITEA 
Denmark: DI Digital, IT 
BRANCHEN 

Estonia: ITL 

Finland: TIF 

France: AFNUM, Syntec 
Numérique, Tech in France 


Germany: BITKOM, ZVEI 
Greece: SEPE 

Hungary: IVSZ 

Ireland: Technology Ireland 
Italy: Anitec-Assinform 
Lithuania: INFOBALT 
Luxembourg: APSI 
Netherlands: Nederland ICT, 
FIAR 

Norway: Abelia 

Poland: KIGEIT, PIIT, ZIPSEE 
Portugal: AGEFE 

Romania: ANIS, APDETIC 


Slovakia: ITAS 
Slovenia: GZS 

Spain: AMETIC 

Sweden: Foreningen 
Teknikföretagen i Sverige, 
IT&Telekomféretagen 
Switzerland: SWICO 
Turkey: Digital Turkey Platform, 
ECID 

Ukraine: IT UKRAINE 
United Kingdom: techUK 


